Bug#790943: Root and local certificate location clash
severity 790943 normal
thanks
On Friday 03 July 2015 10:56:54, Daniel Pocock wrote:
> I've marked this bug serious because it could lead to security
> problems if people mix root certs and other certs in the same
> directory
The certificates generated by make-ssl-cert all have "X509v3 Basic
Constraints: CA:FALSE". Any program that accepts such certificates as
trusted root certificates already has a serious security problem.
Therefore I don't think the policy of make-ssl-cert to put certs into
/etc/ssl/certs creates additional security issues. I am downgrading
the bug accordingly.
I am not really against putting server and CA certificates into
separate directories. But some Debian-wide default would be nice, of
course. Maybe we can discuss that at DebConf?
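
The basic-constraints point made in the message above, as an added example (not part of the original message and not code from make-ssl-cert): a check that treats a certificate as a CA only when its basicConstraints extension asserts cA=TRUE. The function names and the two skeleton certificates are constructed for illustration; the walker does no signature or chain validation.

```python
# Added example: standard-library DER walk; no signature or chain validation.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # OID 2.5.29.19

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def is_ca(cert_der):
    """True only if basicConstraints is present and asserts cA=TRUE."""
    _, cert, _ = tlv(cert_der, 0)              # Certificate SEQUENCE
    _, tbs = children(cert)[0]                 # tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                        # [3] EXPLICIT extensions
            continue
        _, ext_list = children(val)[0]         # SEQUENCE OF Extension
        for _, ext in children(ext_list):
            fields = children(ext)             # OID, [critical], OCTET STRING
            if fields[0][1] != BASIC_CONSTRAINTS:
                continue
            _, bc = children(fields[-1][1])[0] # BasicConstraints SEQUENCE
            first = children(bc)[:1]           # cA is omitted when FALSE
            return first != [] and first[0][0] == 0x01 and first[0][1] != b"\x00"
    return False                               # extension absent: not a CA

def der(tag, *parts):
    """Encode a short (< 128 byte) TLV; enough for the constructed samples."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(bc_body):
    """Constructed skeleton, not a real signed certificate."""
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS), der(0x04, der(0x30, bc_body)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0xA3, der(0x30, ext)))
    return der(0x30, tbs, der(0x03, b"\x00"))

SERVER_CERT = sample_cert(b"")                 # CA:FALSE, as the message describes
ROOT_CERT = sample_cert(der(0x01, b"\xff"))    # CA:TRUE
```

With real files, pass the DER bytes of each certificate (for PEM, the base64-decoded body) to `is_ca`.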